File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- dist/auth/rodit-outbound-credentials.js:6
- Evidence
privateKey: "[REDACTED]",
Security audit
Security checks across malware telemetry and agentic risk
This plugin appears to do what it says: it lets OpenClaw agents exchange A2A messages using disclosed authentication, network routes, and local state storage.
Install only if you intend to expose or contact A2A peers. Keep Passport/NEAR credentials in secrets files or environment variables, require JWT or API-key auth for public endpoints, avoid allowUnauthenticated on the open internet, and enable tlsSkipVerify only for trusted development setups.
62/62 vendors flagged this plugin as clean.
Detected: suspicious.exposed_secret_literal, suspicious.insecure_tls_verification
privateKey: "[REDACTED]",
rejectUnauthorized: false,